Does anyone have StarForce Professional 3.0? Thanks in advance
From the description this thing really looks good; I've been wanting to find software like this for a while. Supporting this.

tELock v0.99 exclusive release
Thanks

Beginner unpacking game: UnPackMe
When you have time, boss, please explain in detail: does my first attempt count as dumping after relocation?

Beginner unpacking game: UnPackMe
Bosses, please give me some feedback: does what I did count as unpacking?

Beginner unpacking game: UnPackMe
Also: if, before reaching je short Try.00417049, you first step into the call ebx below:

00416FF1 . FFD3          call ebx
00416FF3 . 8B7C24 2C     mov edi, dword ptr ss:[esp+2C]
00416FF7 . 8B4C24 28     mov ecx, dword ptr ss:[esp+28]
00416FFB . 8B5424 20     mov edx, dword ptr ss:[esp+20]
00416FFF . 8B72 18       mov esi, dword ptr ds:[edx+18]
00417002 . 2BCF          sub ecx, edi
00417004 . 8B3D 38F14100 mov edi, dword ptr ds:[<&USER32.De>; USER32.DestroyWindow
0041700A . 03CE          add ecx, esi
0041700C . 83C4 0C       add esp, 0C
0041700F . 84C0          test al, al
00417011 . 890D 441B4200 mov dword ptr ds:[421B44], ecx
00417017 . 74 30         je short Try.00417049

After entering call ebx we arrive at:

003DE670   83EC 3C        sub esp, 3C
003DE673   56             push esi
003DE674   57             push edi
003DE675   8B7C24 48      mov edi, dword ptr ss:[esp+48]
003DE679   33F6           xor esi, esi
003DE67B   EB 03          jmp short 003DE680
003DE67D   8D49 00        lea ecx, dword ptr ds:[ecx]
003DE680   A1 DC1D4200    mov eax, dword ptr ds:[421DDC]
003DE685   8B0D D81D4200  mov ecx, dword ptr ds:[421DD8]
003DE68B   8B15 D01D4200  mov edx, dword ptr ds:[421DD0]
003DE691   50             push eax
003DE692   8B44F7 04      mov eax, dword ptr ds:[edi+esi*8+4>
003DE696   51             push ecx
003DE697   8B0CF7         mov ecx, dword ptr ds:[edi+esi*8]
003DE69A   6A 00          push 0
003DE69C   52             push edx
003DE69D   50             push eax
003DE69E   51             push ecx
003DE69F   E8 CC7B0300    call Try.00416270
003DE6A4   83C4 18        add esp, 18
003DE6A7   66:894474 10   mov word ptr ss:[esp+esi*2+10], ax
003DE6AC   46             inc esi
003DE6AD   83FE 02        cmp esi, 2
003DE6B0 ^ 7C CE          jl short 003DE680
003DE6B2   8B5424 4C      mov edx, dword ptr ss:[esp+4C]
003DE6B6   3B5424 10      cmp edx, dword ptr ss:[esp+10]
003DE6BA   75 4C          jnz short 003DE708 ; as long as this jump is not taken, the mov dword ptr ds:[edi+ecx], eax below restores the code at 3ddf00
003DE6BC   33FF           xor edi, edi
003DE6BE   33F6           xor esi, esi
003DE6C0   A1 DC1D4200    mov eax, dword ptr ds:[421DDC]
003DE6C5   8B0D D81D4200  mov ecx, dword ptr ds:[421DD8]
003DE6CB   8B15 D01D4200  mov edx, dword ptr ds:[421DD0]
003DE6D1   50             push eax
003DE6D2   A1 E41D4200    mov eax, dword ptr ds:[421DE4]
003DE6D7   51             push ecx
003DE6D8   8B4C06 04      mov ecx, dword ptr ds:[esi+eax+4]
003DE6DC   6A 00          push 0
003DE6DE   52             push edx
003DE6DF   8B1406         mov edx, dword ptr ds:[esi+eax]
003DE6E2   51             push ecx
003DE6E3   52             push edx
003DE6E4   E8 877B0300    call Try.00416270
003DE6E9   8B0D E01D4200  mov ecx, dword ptr ds:[421DE0]
003DE6EF   89040F         mov dword ptr ds:[edi+ecx], eax
003DE6F2   83C6 08        add esi, 8
003DE6F5   83C4 18        add esp, 18
003DE6F8   83C7 04        add edi, 4
003DE6FB   83FE 20        cmp esi, 20
003DE6FE ^ 7C C0          jl short 003DE6C0 ; loop that restores the code at 3ddf00
003DE700   5F             pop edi
003DE701   B0 01          mov al, 1
003DE703   5E             pop esi
003DE704   83C4 3C        add esp, 3C
003DE707   C3             retn

After returning, 00417017 . 74 30 je short Try.00417049 no longer jumps, and the program runs normally. But it feels like I only removed the NAG and didn't actually unpack anything?

Beginner unpacking game: UnPackMe
Does this count as unpacking? Only after seeing kimmal's hint did I get it working, but the file is still very large and I don't know how to fix that. I traced to:

00417017 . /74 30           je short Try.00417049 ; when execution reaches this line, ESI=d4d0
00417019 . |A1 40104200     mov eax, dword ptr ds:[421040]
0041701E . |50              push eax
0041701F . |E8 910A0000     call Try.00417AB5
00417024 . |FF15 441B4200   call dword ptr ds:[421B44]
0041702A . |8B0D 441B4200   mov ecx, dword ptr ds:[421B44]
00417030 . |51              push ecx
00417031 . |E8 7F0A0000     call Try.00417AB5
00417036 . |8BB424 4C010000 mov esi, dword ptr ss:[esp+14C]
0041703D . |83C4 08         add esp, 8
00417040 . |56              push esi
00417041 . |FFD7            call edi
00417043 . |8B4424 34       mov eax, dword ptr ss:[esp+34]
00417047 . |EB 6F           jmp short Try.004170B8

I found that if je short Try.00417049 is made not to jump, then inside call dword ptr ds:[421B44] it looks like this:

003DDF00   0000          add byte ptr ds:[eax], al
003DDF02   0000          add byte ptr ds:[eax], al
003DDF04   0000          add byte ptr ds:[eax], al
003DDF06   0000          add byte ptr ds:[eax], al
003DDF08   0000          add byte ptr ds:[eax], al
003DDF0A   0000          add byte ptr ds:[eax], al
003DDF0C   0000          add byte ptr ds:[eax], al
003DDF0E   0000          add byte ptr ds:[eax], al
003DDF10   79 FF         jns short 003DDF11
003DDF12   FF33          push dword ptr ds:[ebx]
003DDF14   C055 68 E8    rcl byte ptr ss:[ebp+68], 0E8 ; Shift constant out of range 1..31
003DDF18   D840 00       fadd dword ptr ds:[eax]
003DDF1B   64:FF30       push dword ptr fs:[eax]
003DDF1E   64:8920       mov dword ptr fs:[eax], esp
003DDF21   E8 06B2FFFF   call 003D912C ; jmp to comctl_1.InitCommonControls

Whereas if it does jump at je short Try.00417049, a registration prompt pops up; after clicking No, it jumps away at the JNZ below:

004170B1 . 56            push esi ; |hOwner
004170B2 . FF15 40F14100 call dword ptr ds:[<&USER32.Messag>; \MessageBoxA ; the registration prompt window
004170B8 > 83F8 06       cmp eax, 6
004170BB . 6A 00         push 0 ; /lParam = NULL
004170BD . 0F85 57010000 jnz Try.0041721A ; after choosing No, this jumps
004170C3 . 8B3D 44F14100 mov edi, dword ptr ds:[<&USER32.Cr>; |USER32.CreateWindowExA
004170C9 . 6A 00         push 0 ; |hInst = NULL

jnz Try.0041721A jumps to the following:

0041721A > \8B0D E81D4200 mov ecx, dword ptr ds:[421DE8]
00417220 .  51            push ecx
00417221 .  8D5424 2C     lea edx, dword ptr ss:[esp+2C]
00417225 .  52            push edx
00417226 .  FF15 40104200 call dword ptr ds:[421040]
0041722C .  8AD8          mov bl, al
0041722E .  A1 40104200   mov eax, dword ptr ds:[421040]
00417233 .  50            push eax
00417234 .  E8 7C080000   call Try.00417AB5
00417239 .  83C4 10       add esp, 10
0041723C .  84DB          test bl, bl
0041723E .  74 06         je short Try.00417246
00417240 .  FF15 441B4200 call dword ptr ds:[421B44]
00417246 >  8B0D 441B4200 mov ecx, dword ptr ds:[421B44]
0041724C .  51            push ecx
0041724D .  E8 63080000   call Try.00417AB5

This time, on reaching 00417240 . FF15 441B4200 call dword ptr ds:[421B44], I found the code inside had already been restored:

003DDF00   55            push ebp
003DDF01   8BEC          mov ebp, esp
003DDF03   83C4 F0       add esp, -10
003DDF06   53            push ebx
003DDF07   56            push esi
003DDF08   57            push edi
003DDF09   B8 68D44000   mov eax, 40D468
003DDF0E   E8 5579FFFF   call 003D5868
003DDF13   33C0          xor eax, eax
003DDF15   55            push ebp
003DDF16   68 E8D84000   push 40D8E8
003DDF1B   64:FF30       push dword ptr fs:[eax]
003DDF1E   64:8920       mov dword ptr fs:[eax], esp
003DDF21   E8 06B2FFFF   call 003D912C ; jmp to comctl_1.InitCommonControls

Then, from the file kimmal unpacked, I knew the OEP was 40d4d0, pasted this restored code over there, dumped again, and that was enough. But I still can't determine the proper OEP myself; I'd appreciate any guidance.
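An added example (not code from the post, nor from the UnPackMe) for the last step above, writing bytes that the stub restored in the live process into a dump at the OEP: it parses the dump's section table to turn the VA 40d4d0 into a file offset, using a constructed one-section PE as the sample dump.

```python
import struct
# Constructed minimal PE32 dump (not the UnPackMe from the post): image base
# 0x400000, one ".text" section at RVA 0x1000 backed by 0x10000 raw bytes at
# file offset 0x400, so RVA 0xD4D0 (the OEP named in the post) lies inside it.
IMAGE_BASE = 0x400000

def build_sample_pe():
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                              # PE32 optional header
    struct.pack_into("<I", opt, 28, IMAGE_BASE)        # ImageBase field
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x10000, 0x1000, 0x10000,
                      0x400, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return bytearray(hdr.ljust(0x400, b"\0") + bytes(0x10000))

def image_base(pe):
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    return struct.unpack_from("<I", pe, nt + 24 + 28)[0]

def sections(pe):
    # Yields (VirtualAddress, SizeOfRawData, PointerToRawData) per section.
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    for i in range(nsec):
        hdr = nt + 24 + opt_size + 40 * i
        yield struct.unpack_from("<III", pe, hdr + 12)

def va_to_offset(pe, va):
    """Map a virtual address to the file offset backing it in the dump."""
    rva = va - image_base(pe)
    for sec_va, raw_size, raw_ptr in sections(pe):
        if sec_va <= rva < sec_va + raw_size:
            return raw_ptr + (rva - sec_va)
    raise ValueError(f"VA {va:#x} is not backed by any section's raw data")

def patch_dump(pe, va, code):
    """Overwrite the dump's bytes at `va` with `code`; returns the file offset."""
    off = va_to_offset(pe, va)
    if off + len(code) > len(pe):
        raise ValueError("patch runs past end of file")
    pe[off:off + len(code)] = code
    return off

# First nine restored bytes the post shows at 003DDF00:
# push ebp / mov ebp,esp / add esp,-10 / push ebx / push esi / push edi
RESTORED = bytes.fromhex("558BEC83C4F0535657")
OEP = 0x40D4D0
```

The E8 calls later in the restored block carry relative displacements, so they only stay valid when written at the VA they were computed for; the nine bytes used here have no relative operands.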

Beginner unpacking game: UnPackMe
Working on it......

[Translation] An in-depth look at AsProtect <<AsProtected Notepad!>>
Supporting this; the original link no longer opens.

A simple unpacking method for Morphine
A selfless teacher. Thank you.

Morphine help request
After loading in OD it stops here:

005215CC > C1F9 20      sar ecx, 20 ; Shift constant out of range 1..31
005215CF   53           push ebx
005215D0   55           push ebp
005215D1   66:BD 9F06   mov bp, 69F
005215D5   5D           pop ebp
005215D6   5B           pop ebx
005215D7   F9           stc
005215D8   57           push edi
005215D9   66:BF EE51   mov di, 51EE
005215DD   5F           pop edi
005215DE   84E4         test ah, ah
005215E0   66:83E3 FF   and bx, 0FFFF
005215E4   3AE5         cmp ah, ch
005215E6   60           pushad
005215E7   7D 04        jge short Morphine.005215ED
005215E9   66:83E4 FF   and sp, 0FFFF
005215ED   2D 00000000  sub eax, 0

At this point the registers are:

EAX 00000000
ECX 0012FFB0
EDX 7FFE0304
EBX 7FFDF000
ESP 0012FFC4
EBP 0012FFF0 ; ******************* note this
ESI 77F5166A ntdll.77F5166A
EDI FFFFFFFF
EIP 005215CC Morphine.<ModuleEntryPoint>

After executing the instruction at 5125e7, look at the stack:

0012FFA4 FFFFFFFF
0012FFA8 77F5166A RETURN to ntdll.77F5166A from ntdll.77F78C4E
0012FFAC 0012FFF0 ; ********** note this
0012FFB0 0012FFC4
0012FFB4 7FFDF000
0012FFB8 7FFE0304
0012FFBC 0012FFB0
0012FFC0 00000000
0012FFC4 77E614C7 RETURN to kernel32.77E614C7

Set hr 12ffac, then F9 to run; it breaks at:

005210DC   83C4 04       add esp, 4
005210DF   5B            pop ebx
005210E0   5A            pop edx
005210E1   83C4 08       add esp, 8
005210E4   894C24 04     mov dword ptr ss:[esp+4], ecx
005210E8   FFE0          jmp eax ; jumps straight to the entry at 4010cc
005210EA   55            push ebp
005210EB   89E5          mov ebp, esp
005210ED   81EC 00020000 sub esp, 200
005210F3   53            push ebx

After executing 005210E8 FFE0 jmp eax, we land at Notepad's entry point.
Remove the earlier hardware breakpoint, then run PETools. Why not LordPE? I found that LordPE could not directly dump this EXE process's data completely.
Set the PETools task viewer options to all unchecked, fully dump the process, and it runs directly without fixing the IAT (though it probably won't run on other systems this way).

Discussion: Obsidium V1.2
Exactly. If you could write a few more articles, it would undoubtedly be a huge help to us.

PEMonitor source code released
Support for sharing this.